Overview

overview

10

Static

static

10

PAYMENTS.EXE.exe

windows7-x64

10

PAYMENTS.EXE.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2025 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENTS.EXE.exe

  • Size

    4.0MB

  • MD5

    8fd42c8e20fd0d2bea21bbb085071a9b

  • SHA1

    226135f8d9a8b9d7d326f9056a2ec8ef29c2dd79

  • SHA256

    72e97fb5034c58f98b9faa58766a515374b5cde6433b14380cdefa694652f524

  • SHA512

    bb1c8b61380f65d55e8edadc54ae694c6a8a26f8e0b28c09d775f2a67cf7230005bc3d70e81660ebd9345bc08a94ccd851dcd92780cba730fb7698da27c51781

  • SSDEEP

    49152:NE6nkDXO+T4MNxdsLC+1qzIyq/6z7LSIrQmRiHFw8SHGggklJnh81NRvAe:9nkPqx6O6zSkZRiHLSHGggkl9mAe

Score
10/10
darkvisionexecutionrat

Malware Config

Extracted

Family

darkvision

C2

engvisited101.ddns.net

Signatures

  • DarkVision Rat

    DarkVision Rat is a trojan written in C++.

    ratdarkvision
  • Darkvision family
    darkvision
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 36 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 16 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENTS.EXE.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENTS.EXE.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrorne'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrorne'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
    • C:\ProgramData\Chrorne\Chrorne.exe
      "C:\ProgramData\Chrorne\Chrorne.exe" {C3640C55-7268-4A3D-82D1-9ACCF103690E}
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrorne'
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2172
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrorne'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4028
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1824
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4172
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Blocklisted process makes network request
        • Checks BIOS information in registry
        • Drops startup file
        PID:4944
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3136
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1960
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Blocklisted process makes network request
        • Checks BIOS information in registry
        • Drops startup file
        PID:3988
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1208
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:3960
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Blocklisted process makes network request
        • Checks BIOS information in registry
        • Drops startup file
        PID:3224
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1700
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:2820
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Blocklisted process makes network request
        • Checks BIOS information in registry
        • Drops startup file
        PID:4604
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:1332
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4540
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Blocklisted process makes network request
        • Checks BIOS information in registry
        • Drops startup file
        PID:1516
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Checks BIOS information in registry
        • Drops startup file
        PID:4176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Chrorne\Chrorne.exe
    Filesize

    4.0MB

    MD5

    8fd42c8e20fd0d2bea21bbb085071a9b

    SHA1

    226135f8d9a8b9d7d326f9056a2ec8ef29c2dd79

    SHA256

    72e97fb5034c58f98b9faa58766a515374b5cde6433b14380cdefa694652f524

    SHA512

    bb1c8b61380f65d55e8edadc54ae694c6a8a26f8e0b28c09d775f2a67cf7230005bc3d70e81660ebd9345bc08a94ccd851dcd92780cba730fb7698da27c51781

    Download Submit

  • C:\ProgramData\{0E02B3D6-40D0-48D9-92A9-A27212DB29D2}\{8AD7334A-E2FA-43F4-B97A-75D05756B56F}.bat
    Filesize

    101B

    MD5

    86ffa7331bc1cf8d74b3d63e711213c9

    SHA1

    7575c3ca977791e5163b5466bc0c84a1b8ba3bf4

    SHA256

    8d27496643c048c2773f87368d7b454cbc8e19a1086dc9054612199829fa361c

    SHA512

    7f2ecfe7ccab21dcd6bfaea565a69f768361c34580dbe8cdc099e7b8a82e2c74ed64189948edfcfe930c08ac0978f2f27f902c168459b3249b1d5ccb07317eb6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    fd9152fd0fab56908fe168af91a08303

    SHA1

    e4e64d449aaae4e5cda388fc492ff8ee0878af24

    SHA256

    a78dca0d470c353064c51dbe58a9bf408c188b65d44636759aace9011f5b482e

    SHA512

    c29093187dcc35ba79e20c11a00ad4063cb81bf7b0bc269f3aee66f583ebece5821cf1ac8748e49247a8eb0eccf4e47f5eb4c1f8577327d8a754a807d5a4aa16

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uc4f0wck.l3l.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{C0D6986D-0020-4742-ABBA-51F33C94CFF4}.lnk
    Filesize

    1KB

    MD5

    2bbf6a601a5bd8bc2e4ff13091dfb73c

    SHA1

    f232264b60e78822ec831d4ae384f4da648ab0e5

    SHA256

    8821eb6a3f13016b4deeb100b4309ec1704d35cc86ca042bfeed4c4c616ad1ec

    SHA512

    84ed5294feb9fcd74697677a401b11044f0150d38009da1f20148e6e96d011733b60f39bea6bbea19db17f993e83e1d6c33c60071672a365406152d32e3ed799

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{C0D6986D-0020-4742-ABBA-51F33C94CFF4}.lnk
    Filesize

    1KB

    MD5

    b9830b8ce7bcd26e1c181244c9200ea5

    SHA1

    fe5a4708c49e467d03dc899d292118971e8ff28d

    SHA256

    227e5580e90d80d6fe049f55726d3c33c696eaeb6c2f4ba2908efb0f1090f1de

    SHA512

    f93b0cad2df0aa7b409053853187c640c8f126089678dfa647df236c830d60249428a88290d08ebe5b47184c75a28b99e0856c74a67a81ab7b7623ea1617c9ad

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{C0D6986D-0020-4742-ABBA-51F33C94CFF4}.lnk
    Filesize

    1KB

    MD5

    315ddd40a49afc3e276180c30ba26829

    SHA1

    f6e00aab30b1ce3f7296ce1bff68c54cad7dab4b

    SHA256

    d6a2b2330f08cf04029af2cd044413df562e8db2bdb01064a70a7f8bad56ec10

    SHA512

    7f13f46361b34bd8ab59a31dd9441f0c4a9803b81653514d72ebc2a41c61264cf9900d1a63831d4979e7f71e7d87eb47a183f5ffc7bf54f36ed126da30ebf853

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{C0D6986D-0020-4742-ABBA-51F33C94CFF4}.lnk
    Filesize

    1KB

    MD5

    ae21d50a45e44d1be5b0bfc623dc783f

    SHA1

    8ec0cc75eda612f72cf769ed7ec935aad7eb6d3a

    SHA256

    e5528ea3b6d005ca6d0d2068bfce9c7a8e5c31c94c319debc4b9575bb3d0b24c

    SHA512

    bee241ed8f94c25d27e2495fdad89164f86b1238ae619e727a8dd4e56d46fa88f4a04ed6b505e122ccee7d60d1a081eee7c22e484cc4e2857b7791be85a4cfba

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{C0D6986D-0020-4742-ABBA-51F33C94CFF4}.lnk
    Filesize

    1KB

    MD5

    397a574e4c2e6f8d32d76f1dabbe5eee

    SHA1

    a450a51f240ee4e91c3312bb88d92f8289484073

    SHA256

    9c06f9a4162f64d8139bb882191edc141a7420096350c1447e9e25207ac65f2b

    SHA512

    a9c94812ef503c5193378b1c79bed19f605b3414b7a28e90ff94cd83552f97f74e489f63b651525e45fc1647dfa20846c8218f2320cd659089925a0a58fb26b7

    Download Submit

  • memory/1088-9-0x00007FFF8E4F0000-0x00007FFF8E6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1088-83-0x00007FFF8E4F0000-0x00007FFF8E6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1088-82-0x00007FF65AB60000-0x00007FF65AF58000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1088-81-0x00007FF65AB60000-0x00007FF65AF58000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1088-7-0x00007FF65AB60000-0x00007FF65AF58000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-46-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-68-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-24-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-33-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-50-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-52-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-53-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-51-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-48-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-47-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-49-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-45-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-44-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-43-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-42-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-41-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-40-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-38-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-37-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-36-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-65-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-34-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-67-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-23-0x0000000000800000-0x0000000000801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-84-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-31-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-35-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-39-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-72-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-66-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-64-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-54-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1824-32-0x00000000029C0000-0x0000000002DB8000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2388-79-0x00007FFF8E4F0000-0x00007FFF8E6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2388-75-0x0000017174250000-0x000001717446C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2388-22-0x00000171745D0000-0x00000171745F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2388-11-0x00007FFF8E4F0000-0x00007FFF8E6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2388-12-0x00007FFF8E4F0000-0x00007FFF8E6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2388-10-0x00007FFF8E4F0000-0x00007FFF8E6E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4028-80-0x00000259F79A0000-0x00000259F7BBC000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/5096-1-0x00007FFF8E590000-0x00007FFF8E592000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5096-8-0x00007FF680520000-0x00007FF680918000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/5096-0-0x00007FF680520000-0x00007FF680918000-memory.dmp

    Filesize

    4.0MB

    Download